1. Field of the Invention
The present invention relates to encryption and decryption that are resistant to cryptanalysis methods.
2. Description of the Related Art
A conventional encrypting apparatus is composed of an input unit, a storage unit, an encryption processing unit and an output unit. A plaintext is supplied from the input unit to the encryption processing unit. The encryption processing unit always carries out the encrypting operation in accordance with a predetermined processing procedure at each of a plurality of processing stages to generate a ciphertext, while storing the intermediate data of each processing stage in the storage unit. The intermediate data is required at the next processing stage of the encrypting operation. The generated ciphertext is output from the output unit. In this case, the time period from the start of the encrypting operation to the start of a specific intermediate stage of the encrypting operation is approximately constant.
It should be noted that a method of implementing a cipher algorithm is described in detail in “Applied Cryptography” by Bruce Schneier (John Wiley & Sons, Inc., 1996, ISBN 0-471-11709-9), pp. 623–673.
In the above-mentioned conventional example of the encrypting apparatus, cryptanalysis methods such as simple power analysis and differential power analysis are effective. Simple power analysis and differential power analysis use the fact that power consumption is larger when data held in a semiconductor device changes than when the held data does not change. In these cryptanalysis methods, the power consumption of the encrypting apparatus is measured at a plurality of timings while the encrypting operation on a plaintext is carried out, in order to determine secret information such as a secret key (an encryption key) in the encrypting apparatus.
The following two conditions must be met for simple power analysis or differential power analysis to function effectively. The first condition is that the stage of the encrypting operation being executed can be identified each time the power consumption is measured. The second condition is that the measured value of the power consumption at each stage conspicuously reflects the calculation result of the encrypting operation carried out in the encrypting apparatus.
When the above-mentioned two conditions are met in the conventional encrypting apparatus, simple power analysis or differential power analysis functions effectively and makes decryption possible. The same applies to a decrypting apparatus and to an encrypting and decrypting apparatus.
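The two conditions can be checked on simulated measurements. The following is an added example, not part of the original text: a constructed leakage assessment in which the device model, the key nibble, the use of the PRESENT S-box as a stand-in stage, and the names `trace` and `leakage_score` are all assumptions. It scores how strongly the traces depend on a known intermediate value when the stage timing is fixed, when it is unpredictable, and when the measurement barely reflects the result.

```python
import random
from statistics import fmean, variance

# 4-bit S-box of the PRESENT cipher, used only as a stand-in nonlinear stage.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
KEY = 0x9      # constructed secret nibble inside the simulated device
SAMPLES = 16   # power samples recorded per operation
STAGE = 5      # sample index at which the S-box result is latched

def trace(plain, rng, jitter, noise):
    """One simulated trace: Gaussian noise at every sample, plus a bump equal
    to the number of register bits that change (0 -> S-box output)."""
    t = [rng.gauss(0.0, noise) for _ in range(SAMPLES)]
    v = SBOX[plain ^ KEY]
    t[STAGE + rng.randint(0, jitter)] += bin(v).count("1")
    return t, v

def leakage_score(n=4000, jitter=0, noise=0.5, seed=1):
    """Largest |Welch t| over all sample positions between traces whose
    intermediate value has low bit 1 and those where it is 0."""
    rng = random.Random(seed)
    groups = ([], [])
    for _ in range(n):
        t, v = trace(rng.randrange(16), rng, jitter, noise)
        groups[v & 1].append(t)
    best = 0.0
    for i in range(SAMPLES):
        a = [t[i] for t in groups[0]]
        b = [t[i] for t in groups[1]]
        se = (variance(a) / len(a) + variance(b) / len(b)) ** 0.5
        best = max(best, abs(fmean(b) - fmean(a)) / se)
    return best

if __name__ == "__main__":
    print("both conditions met :", round(leakage_score(), 1))
    print("stage timing unknown:", round(leakage_score(jitter=9), 1))
    print("signal buried       :", round(leakage_score(noise=20.0), 1))
```

With jitter the bump is spread across ten sample positions rather than removed, so the score falls but does not reach zero.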
A method of encrypting data is disclosed in Japanese Laid Open Patent Application (JP-A-Heisei 9-230786) and Japanese Laid Open Patent Application (JP-A-Heisei 8-504067) in relation to the above conventional technique. In these references, differential cryptanalysis and linear cryptanalysis are prevented. The intermediate results of the encrypting operation are changed without depending on the random numbers, and an encryption key is changed in dependence on the random numbers.
Also, improved secrecy in an encrypting communication device is disclosed in Japanese Laid Open Patent Application (JP-A-Heisei 8-504067). In this reference, when power is turned off, key information stored in a volatile memory in the encrypting apparatus is dynamically erased, and the same key information is re-loaded when the supply of power is resumed.
Even if these techniques are combined, it is very difficult to remove the dependence of the finally outputted ciphertext on the random numbers.
In conjunction with the above description, a verification method is disclosed in Japanese Laid Open Patent Application (JP-A-Heisei 10-210023). In this reference, the first station and the second station store common secret information Ka (K′a) in storage sections (13) and (43) at each station. The first station transmits to the second station user information (Ia) indicating that the first station is a first station. One of the first and second stations generates random numbers r and transmits them to the other station. The first station generates first verification information using the random numbers, the secret information and a predetermined algorithm, and transmits it to the second station. The second station generates second verification information using the random numbers, the secret information and the predetermined algorithm. The second station compares the first verification information with the second verification information and determines the authority of the first station based on whether both are the same.
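The exchange described in this reference, with both stations' messages, is sketched below as an added example that is not taken from the reference or from the original text. HMAC-SHA256 as the predetermined algorithm, the single-use handling of r, the constant-time comparison, and all names and sample values are assumptions.

```python
import hashlib
import hmac
import secrets

def verification_info(secret, user_info, r):
    """Verification information from the random number r and the shared secret.
    HMAC-SHA256 is an assumption standing in for the predetermined algorithm."""
    return hmac.new(secret, user_info + r, hashlib.sha256).digest()

class SecondStation:
    """Verifier: holds K'a per user and issues one-time random numbers."""
    def __init__(self, secrets_by_user):
        self.secrets_by_user = secrets_by_user
        self.pending = {}                      # user_info -> outstanding r

    def challenge(self, user_info):
        r = secrets.token_bytes(16)
        self.pending[user_info] = r
        return r

    def verify(self, user_info, first_info):
        r = self.pending.pop(user_info, None)  # each r is accepted once only
        key = self.secrets_by_user.get(user_info)
        if r is None or key is None:
            return False
        second_info = verification_info(key, user_info, r)
        return hmac.compare_digest(first_info, second_info)

def run_exchange():
    ia, ka = b"station-A", b"constructed-shared-secret"   # constructed values
    second = SecondStation({ia: ka})
    r1 = second.challenge(ia)
    good = verification_info(ka, ia, r1)       # computed by the first station
    accepted = second.verify(ia, good)
    replay_same_r = second.verify(ia, good)    # r1 was already consumed
    second.challenge(ia)                       # fresh r for a new session
    replay_new_r = second.verify(ia, good)     # old response against new r
    r4 = second.challenge(ia)
    wrong_secret = second.verify(ia, verification_info(b"not-the-secret", ia, r4))
    return accepted, replay_same_r, replay_new_r, wrong_secret

if __name__ == "__main__":
    print(run_exchange())
```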
Also, a method of generating a hash value is disclosed in Japanese Laid Open Patent Application (JP-A-Heisei 10-340048). In this reference, when a message is given, divisional data of the message are inputted and monomorphism expansion processing is carried out to output data which is longer than the divisional data. Also, a hash value is generated by a hash function which contains a multiplying process and a circular shifting process. In this way, a hash value and a key or a ciphertext with a high data distortion are quickly generated.
Also, a computer-supported method of exchanging an encryption key between a user computer unit U and a network computer unit N is disclosed in Japanese Laid Open Patent Application (JP-A-Heisei 10-510692). In this reference, the length of a message to be transmitted is reduced. The first intermediate key and the second intermediate key are generated in dependence on the random numbers. In the network computer unit and the user computer unit, a session key is calculated by carrying out the exclusive OR calculation of the first intermediate key and the second intermediate key for every bit. This key is never transmitted in plaintext. For example, a predetermined function such as a symmetrical encrypting function, a hash function or a one-way function is used. Thus, the network computer unit and the user computer unit verify each other.